The DeFi ecosystem faced a major setback when a critical flaw was discovered in certain versions of the Vyper programming language used for Ethereum contracts. This vulnerability allowed malicious actors to exploit multiple DeFi projects, resulting in the theft of millions in cryptocurrency.
The issue was related to a malfunctioning reentrancy lock, affecting at least four liquidity pools on Curve Finance. These pools, namely alETH/ETH, msETH/ETH, pETH/ETH, and CRV/ETH, were targeted, while others were not affected.
Various DeFi projects suffered significant losses due to the attacks. Alchemix’s alETH-ETH pool lost $13.6 million, JPEG’d’s pETH-ETH pool lost $11.4 million, and Metronome’s msETH-ETH pool was hacked for $1.6 million. Additionally, over $22 million worth of CRV tokens were drained.
The situation also impacted CRV’s price, which dropped by over 12%. There were concerns about the potential impact on Aave’s protocol, as the falling CRV price could force Curve Finance’s founder to liquidate a $70 million borrowing position on Aave.
BlockSec, a smart contract auditing firm, warned that all pools using wrapped Ether (wETH) could be at risk of similar attacks due to the faulty reentrancy lock.
To prevent further incidents, DeFi projects using Vyper should update their code immediately and implement additional security measures to protect user funds. This incident underscores the importance of robust security practices and constant vigilance in the DeFi community.